Virtual peer-to-peer payments are the currency of the pandemic: the coin of the Covid-19 realm. In a world where no one wants to come close enough to exchange money (and possibly germs too), use of payment apps like PayPal, Venmo, Cash App and Zelle has exploded.
Between April and June, Paypal processed more than $220 billion in transactions, a nearly 30% year-over-year increase. Similarly, in the second quarter of 2020, Venmo, which is owned by PayPal, processed $37 billion in transactions, a 52% increase over the year before. And in July, Early Warning Services, the parent company of the mobile payment platform Zelle, reported that the number of users who had sent a payment through the service in the last 90 days was up 43% over the previous year.
But while payment apps can help protect users from the dangers of person-to-person Covid-19 transmission, these virtual systems introduce problems of their own. Using a payment app of any kind, no matter how privacy-preserving it is, always introduces an intermediary: an agent that uses data to execute a demand. Apps can’t send money if they don’t have some kind of access to the account from which users send and receive money. And not all apps treat that data the same way.
What data do apps collect and why?
All pay apps say they need access to certain personal information, including names, Social Security number and bank account numbers. They also collect information about activity in the app, such as transaction histories that show when and where and for whom users made or received payments.
Apps may also connect to biometric information like Face ID or Touch ID, saying they need to as a security measure. And some, like Venmo and Cash App, also say they collect lists of contacts so it’s easier for users to find their friends and send payments to the right person.
But while apps may need this information to run their services effectively, they may also profit from the data users divulge.
“It’s very likely customers don’t realize companies are monetizing their transaction information,” says Alan Butler, interim executive director at the Electronic Privacy Information Center (EPIC).
Butler says it’s commonplace in the financial services industry for individuals to use financial services for free, so consumers often don’t think about how those systems make money.
Some, but not all, payment apps do so by sharing data.
What data do pay apps share, and who’s doing It?
PayPal discloses that, in addition to sharing data with financial institutions and credit and fraud detection agencies, the company shares data that may include email, device ID, and IP address with many third parties, including Google, Facebook, Twitter and AdRoll for advertising purposes. Similarly, Venmo says it shares geolocation data for advertising purposes.
Cash App specifies that it shares information with third parties, including Google, but that the data is aggregated and anonymized so individual user identities are protected.
Notably, Google Pay does not sell or share data with third parties, and Apple Cash collects only users’ contact information, bank account number and Social Security number, and their transaction and credit histories. Neither app collects geolocation data or browsing histories of its users, and neither shares information with advertisers. While Zelle’s website collects and sells information about browsing history, the app itself does not sell information about user behavior to third-party advertisers.
When it comes to sharing information with law enforcement, Venmo, PayPal, Cash App and Zelle all specify in their privacy policies that they cooperate with law enforcement if subpoenaed, but those policies do not say whether the company would inform users if that happened.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), says companies should tell users if and when their information is subpoenaed, which could then give app users a chance to challenge the request in court.
At the moment, she says, “If they just hand that information over, you will not know until it’s way too late.”
There are other privacy issues to consider as well: PayPal has reportedly locked sex workers out of their accounts. In the past, the company also threatened to close accounts or stop processing payments for legal goods like erotic books containing descriptions of incest, rape or bestiality, and threatened to shut down booksellers’ accounts if they refused to remove listings for such books (PayPal significantly narrowed this policy in 2020).
Venmo is unique
Venmo’s social media-esque timeline automatically reveals user transactions to anyone on the app, which leaves its users (at least those who don’t opt to make payments private) uniquely exposed.
In 2017, a Mozilla Fellow named Hang Do Thi Duc created Public by Default, a website that tells the stories of five unsuspecting Venmo users. Duc traced their drug deals, snack choices, lovers’ quarrels and loan payments using only their public Venmo timelines. Combine such information with other data sets, and bad actors could use Venmo data to deanonymize the same Venmo users in other situations, potentially revealing highly personal information.
In 2019, another researcher, Dan Salmon, used an API to scrape Venmo’s public database and collected information about 7 million users.
Salmon says that Venmo has since slowed the scrape rate on its website, so programs can’t gather data as fast as he did. But he says the basic underlying problem remains.
“The app overall seems very secure,” he wrote in an email to The Markup. “My only issue is that I believe that people for the most part don’t realize that their transaction data is public by default.” He adds that for any app, advertising revenue can run counter to privacy concerns.
“The safety and privacy of PayPal and Venmo customers and their information is always a top priority,” Zoe Bendes, a spokesperson for Venmo’s parent company Paypal, wrote to The Markup. “Our customers trust us with their money and their personal information, and we take this responsibility very seriously, as well as our legal obligations in accordance with all applicable privacy laws.”
In an email to The Markup, Gennie Gebhart, activism director at EFF, said the company has not formally responded to EFF’s concerns or criticisms. “Among the various companies we direct campaigns and criticism at, Venmo stands out to me as being one of the least responsive,” she wrote.
What can users do to keep their info private?
That depends on the app. Some information, like bank account numbers, name and transaction history, is necessary if users want to use the service. But these apps can work without certain features, if users want to share less data.
Cash App allows users to opt in to share their contacts, and uploading a photo is optional.
Most apps also allow users to change their settings to disable or decline cookies from tracking browser histories and to turn off geolocation sharing.
Because these options require users to take initiative and opt out from these services, the likelihood of that happening rests on how easy it is to actually understand companies’ privacy policies.
“Consumers have a right to understand,” says Kaili Lambe, a senior US campaigner at the Mozilla Foundation. She says privacy policies should be as concise as possible and shouldn’t be full of legalese that could confuse users.
But that’s not always the case.
Mostly, experts suggest that people consider privacy each time they make a purchase and choose their payment method accordingly.
“The payment that you make to your yoga instructor may have different concerns than the payment that you make for your mortgage or your deductible on your insurance when you’re getting cancer treatment,” says the EFF’s Galperin.
Cash and checks are still an option for transactions you truly want to keep private, she says.
“Really just think about the transaction and who do you want to know about this.”
Tell us: Are there certain times that you won’t use a pay app, even during a pandemic? We’re interested in your privacy boundaries. Email email@example.com.